dmitry Tue, 11 May 2010 10:41:19 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=299240
Log: Fixed a possible memory corruption because of unexpected call-time pass by reference and following memory clobbering through callbacks. Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/trunk/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-05-11 10:03:16 UTC (rev 299239) +++ php/php-src/branches/PHP_5_3/NEWS 2010-05-11 10:41:19 UTC (rev 299240) @@ -23,6 +23,9 @@ - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey) +- Fixed a possible memory corruption because of unexpected call-time pass by + refernce and following memory clobbering through callbacks. + Reported by Stefan Esser (Dmitry) - Fixed a possible memory corruption in addcslashes(). Reported by Stefan Esser (Dmitry) - Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2010-05-11 10:03:16 UTC (rev 299239) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2010-05-11 10:41:19 UTC (rev 299240) @@ -412,6 +412,12 @@ case IS_DOUBLE: case IS_BOOL: convert_to_string_ex(arg); + if (UNEXPECTED(Z_ISREF_PP(arg) != 0)) { + /* it's dangerous to return pointers to string + buffer of referenced variable, because it can + be clobbered throug magic callbacks */ + SEPARATE_ZVAL(arg); + } *p = Z_STRVAL_PP(arg); *pl = Z_STRLEN_PP(arg); break; Modified: php/php-src/trunk/Zend/zend_API.c =================================================================== --- php/php-src/trunk/Zend/zend_API.c 2010-05-11 10:03:16 UTC (rev 299239) +++ php/php-src/trunk/Zend/zend_API.c 2010-05-11 10:41:19 UTC (rev 299240)
@@ -418,6 +418,12 @@ case IS_DOUBLE: case IS_BOOL: convert_to_string_ex(arg); + if (UNEXPECTED(Z_ISREF_PP(arg) != 0)) { + /* it's dangerous to return pointers to string + buffer of referenced variable, because it can + be clobbered throug magic callbacks */ + SEPARATE_ZVAL(arg); + } *p = Z_STRVAL_PP(arg); *pl = Z_STRLEN_PP(arg); break;
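Review bot: the NEWS hunk (`@@ -23,6 +23,9 @@`) carries a typo in the second added line, `+ refernce and following memory clobbering through callbacks.`; NEWS is shipped to users, so change it to "reference" before the release is cut. The entry otherwise matches the surrounding format (description, reporter, author in parentheses).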
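Review bot: in the PHP_5_3 `zend_API.c` hunk (`@@ -412,6 +412,12 @@`), placing `SEPARATE_ZVAL(arg)` after `convert_to_string_ex(arg)` is the right order: the detached copy already holds the converted string, so the `*p = Z_STRVAL_PP(arg)` / `*pl = Z_STRLEN_PP(arg)` that follow point at a buffer no other variable can reach through the reference. The guard is only added to the `IS_DOUBLE` / `IS_BOOL` branch shown here, though; please check whether any other branch of this switch that hands out `Z_STRVAL_PP(arg)` on a possibly-referenced zval needs the same separation, since a caller holding `*p` across a callback is exposed in exactly the same way there. Two smaller points: `Z_ISREF_PP(arg) != 0` reads more naturally as plain `Z_ISREF_PP(arg)`, and the comment misspells "through" as `throug`.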
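Review bot: the trunk hunk (`@@ -418,6 +418,12 @@`) is a verbatim copy of the PHP_5_3 change, including the `throug` typo in the comment, so whichever wording is settled on should be applied to both files. More importantly, the Changed paths list contains no test: a fix for a by-reference argument being clobbered through a callback while the engine still holds a pointer into its string buffer is the kind of regression a small `.phpt` under `Zend/tests` would lock in, so please add one that exercises the reported case and asserts the converted string survives the callback.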
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php